The EU Cybersecurity Package 2026: the next chapter on the horizon


On 20 January 2026, the European Commission published two legislative proposals that together form a comprehensive overhaul of the EU’s cybersecurity framework. 

The package consists of a proposed regulation revising the Cybersecurity Act (the “Cybersecurity Act 2” or “CSA2”) and a proposed directive amending the NIS2 Directive with targeted simplification measures. 

These proposals respond to an increasingly hostile cyber threat landscape in which state-backed actors and criminal organisations are targeting critical infrastructure with growing sophistication. At the same time, the Commission aims to reduce regulatory complexity and compliance burdens for businesses, in line with its broader simplification agenda.

In this article, we provide an overview of the two proposals and highlight the key changes that will shape the next chapter in cybersecurity legislation.

The Cybersecurity Act 2 — A New Regulation

The CSA2 proposal is the latest addition to the EU's growing body of cybersecurity legislation and would repeal and replace the 2019 Cybersecurity Act. It is built around four pillars: a stronger mandate for ENISA, the EU Agency for Cybersecurity; a reform of the European Cybersecurity Certification Framework; new rules for ICT supply chain cybersecurity; and simplified, coherent compliance through a single cybersecurity certification mechanism that can serve as proof of compliance throughout the EU.

A Stronger Mandate for ENISA

The EU Agency for Cybersecurity (ENISA) would receive a substantially expanded mandate and increased financial and human resources. The Commission wants ENISA to serve as the single EU-level point of expertise for cybersecurity, supporting both policy implementation and operational cooperation among Member States. In practice, this means ENISA would play a larger role in coordinating incident response, facilitating cross-border supervisory actions, and supporting the development of cybersecurity standards and tools, on top of its current tasks under NIS2, the Cyber Resilience Act and the Cyber Solidarity Act.

A Reformed Certification Framework

The European Cybersecurity Certification Framework (ECCF), which has seen limited uptake since its introduction in 2019, would be fundamentally reformed. The framework was set up to certify the cybersecurity of ICT products, services and processes under EU-wide schemes, as an alternative to relying on assurance frameworks such as SOC 2 reports and ISO 27001 certification that are not tied to EU law. The CSA2 broadens the scope of the ECCF, streamlines its governance model, and introduces faster, more agile procedures for developing and updating certification schemes, which should help companies in scope of cybersecurity legislation demonstrate that they are compliant.

A key innovation is the introduction of “cyber posture certification”: entities subject to NIS2 obligations would be able to obtain a certificate demonstrating their compliance with the cybersecurity risk-management requirements. The certificate could serve as proof of compliance vis-à-vis the national competent supervisory authorities, reducing the need for duplicative audits and supervisory checks. If implemented, this would curb the divergence between national practices and national cybersecurity frameworks, and remove the uncertainty over whether compliance with international frameworks such as ISO 27001 suffices for cybersecurity compliance.

The reformed ECCF is also designed to create synergies across different regulatory frameworks. Certification under the ECCF should facilitate compliance not only with NIS2 but also with requirements under the Cyber Resilience Act (CRA), the Digital Operational Resilience Act (DORA), and even the General Data Protection Regulation, without prejudice to each framework’s specific certification requirements.

A New ICT Supply Chain Security Framework

An important aspect of the CSA2 proposal concerns ICT supply-chain security. Under NIS2, and under more specific laws such as DORA, companies in scope must already address the cybersecurity risks arising from their relationships with key suppliers. However, a clear pathway to a common standard is missing, which has led to a patchwork of diverging (national) approaches that the Commission considers a source of fragmentation within the internal market.

The CSA2 introduces a harmonised EU-level framework for ICT supply chain security. It envisages a mechanism at EU level to identify countries posing cybersecurity concerns and to define risk-based measures for de-risking critical supply chains. It also provides clarity on which requirements companies in scope of these cybersecurity laws must pass on to their suppliers, and which requirements suppliers are exempt from. Before measures are imposed on entities throughout the EU, an assessment of their economic impact would be performed, taking into account factors such as economic feasibility and the availability of alternatives.

The proposal also targets non-technical risks, such as dependencies on suppliers established in, or controlled by entities from, third countries that pose a relatively higher cybersecurity concern (“high-risk suppliers”). A third country may be designated as posing cybersecurity concerns on four grounds. First, where vendors there are under a duty to notify software or hardware vulnerabilities to the local authorities as soon as they are discovered and before they are fixed, irrespective of whether that duty follows from law or from established practice; the concern is that a government notified in this way can exploit a vulnerability before a fix is available. Second, where the Commission finds an absence of effective judicial remedies and of independent, democratic control mechanisms capable of correcting the identified security concerns. Third, where, based on substantiated information, the jurisdiction is found to harbour threat actors carrying out malicious cyber activities or campaigns, while being unable or unwilling to cooperate with the Commission or the Member States to address the resulting risk. Finally, where relevant information from EU-coordinated security risk assessments, or from reports by Member States or international organisations, gives reason to do so.

After designating a third country as a high-risk jurisdiction, the Commission intends to draw up lists of high-risk suppliers. Under the proposal, such suppliers could no longer be used by companies that want to be certified under the ECCF, and they would not be eligible for certification themselves.

Simplified and Coherent Compliance

The CSA2 aims to reduce the compliance burden on businesses that are subject to multiple overlapping cybersecurity frameworks. By promoting certification as a cross-cutting compliance tool and aligning procedures across the NIS2 Directive, the CRA, DORA, and further sector-specific legislation, the proposal seeks to create a more predictable regulatory environment. Entities would spend fewer resources on duplicative compliance activities and more on strengthening their actual cybersecurity posture.

Targeted Amendments to the NIS2 Directive

Alongside the proposed CSA2, the European Commission has proposed targeted amendments to the NIS2 Directive. These amendments are designed to clarify aspects that have proven challenging during transposition and implementation by the Member States, and to align the NIS2 framework with the CSA2 Regulation. For the Member States that have not yet transposed NIS2 (including the Netherlands), the clarifications may streamline the implementation process. The proposed introduction of an intermediate company size category further reduces the administrative burden for companies that are neither fish nor fowl: those that have outgrown the SME thresholds on which NIS2 relies without being large enterprises.

Scope Clarifications and Expansion

The proposal clarifies the scope of the NIS2 Directive in several areas where uncertainty had arisen. Provisions relating to healthcare providers, electricity producers, hydrogen undertakings, and entities in the chemical sector are tightened up. For electricity producers specifically, only those with a total generation capacity exceeding 1 MW would fall within scope, provided they also meet the general size-cap rule.

At the same time, the scope is expanded even further. Providers of European Digital Identity Wallets and European Business Wallets would be classified as essential entities regardless of their size. Operators of submarine data transmission infrastructure — including cables, landing stations, and associated terrestrial infrastructure — would also be brought within scope. Additionally, entities identified as owners, managers, or operators of strategic dual-use infrastructure would be covered.

A New Category: Small Mid-Caps

A new category of “small mid-cap enterprises” is introduced. Entities of a type listed in Annex I to the NIS2 Directive that qualify as small mid-caps would generally be designated as important (rather than essential) entities, reducing both their compliance burden and the supervisory burden on national authorities. Micro and small DNS service providers would be removed from scope entirely, in line with the Commission's target of cutting administrative costs by 25% overall and by 35% for small and medium-sized enterprises.

Harmonised Ransomware Reporting

The proposal introduces harmonised data collection on ransomware attacks at EU level. When the Commission adopts implementing acts on incident reporting, those acts would require entities to report whether they have detected a ransomware attack, the attack vector, and whether mitigation measures have been implemented.

In addition, upon request by the relevant computer security incident response team (CSIRT) or competent authority, entities would be required to share more sensitive information: whether a ransom demand was received, whether a ransom was paid, and if so, the amount and payment method, including cryptocurrency details. This information would be exchanged through confidential channels provided by the CSIRT. The proposal explicitly provides that reporting this information should not trigger additional obligations for the entity concerned. Entities are encouraged to appoint a dedicated point of contact for ransomware-related information exchange. Given the rise in ransomware attacks and their devastating consequences for victims, the requirement is intended both to let authorities assist during a crisis and to give them a central picture of the state of play.

Post-Quantum Cryptography Migration

Member States would be required to adopt policies for the migration to post-quantum cryptography as part of their national cybersecurity strategies. The concern is not today's computers: a sufficiently large quantum computer running Shor's algorithm would break the public-key algorithms in widespread use (RSA, Diffie-Hellman and elliptic-curve cryptography) regardless of key size, whereas symmetric ciphers and hash functions are only weakened and can be addressed with larger keys and outputs. Because attackers can already collect encrypted traffic and stored data today in order to decrypt it once such a computer exists (“harvest now, decrypt later”), data that must remain confidential for many years is exposed now, not only when the technology matures. A migration strategy towards algorithms designed to resist quantum attack is therefore needed ahead of time. The policies should facilitate strategic planning, support tools for assessing the exposure of cryptographic assets to quantum risk, and assist in drawing up migration plans.
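The “tools for assessing the exposure of cryptographic assets” that the proposal asks Member States to support can be quite simple at their core. The script below is an added example written for this article, not code from the proposal or from any EU body. It triages a constructed cryptographic asset inventory using two standard rules: Shor's algorithm breaks the classical public-key algorithms outright while Grover's algorithm halves the effective strength of symmetric keys and hashes, and Mosca's inequality (data secrecy lifetime plus migration time greater than time to a cryptographically relevant quantum computer means the data is already exposed to harvest-now-decrypt-later). The inventory entries, the 5-year migration estimate and the 10-year CRQC horizon are assumptions chosen for illustration; the algorithm tables reflect the generally accepted picture rather than anything stated in the proposal.

```python
"""Triage of a cryptographic asset inventory for quantum exposure.

Added example, not part of the original article. Year estimates and the
sample inventory are constructed for illustration only.
"""
from dataclasses import dataclass
from enum import Enum


class Quantum(Enum):
    BROKEN = "broken"        # Shor's algorithm: no key size is large enough
    WEAKENED = "weakened"    # Grover's algorithm: effective strength roughly halved
    SAFE = "safe"


# Classical public-key algorithms that a cryptographically relevant quantum
# computer (CRQC) breaks outright.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519", "X25519"}
# Symmetric ciphers and hashes: Grover only gives a quadratic speed-up.
GROVER_WEAKENED = {"AES", "CHACHA20", "SHA256", "SHA3-256", "HMAC-SHA256"}
# NIST-standardised post-quantum algorithms (FIPS 203/204/205).
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}


@dataclass
class Asset:
    name: str
    algorithm: str
    bits: int                   # key size, or claimed security level for PQC
    purpose: str                # "confidentiality" or "authentication"
    secrecy_years: float = 0.0  # how long the protected data must stay secret


def classify(algorithm: str, bits: int) -> tuple[Quantum, int]:
    """Return (quantum status, effective security bits against a CRQC)."""
    alg = algorithm.upper()
    if alg in SHOR_BROKEN:
        return Quantum.BROKEN, 0
    if alg in PQC:
        return Quantum.SAFE, bits
    if alg in GROVER_WEAKENED:
        effective = bits // 2   # 2^n brute force becomes ~2^(n/2) with Grover
        return (Quantum.SAFE if effective >= 128 else Quantum.WEAKENED), effective
    raise ValueError(f"unknown algorithm {algorithm!r}")


def mosca_at_risk(secrecy_years: float, migration_years: float, crqc_years: float) -> bool:
    """Mosca's inequality: data is exposed if X + Y > Z."""
    return secrecy_years + migration_years > crqc_years


def triage(assets: list[Asset], migration_years: float = 5.0, crqc_years: float = 10.0) -> list[dict]:
    """Rank inventory entries by how urgently they need migration (assumed horizons)."""
    order = {"urgent": 0, "migrate": 1, "upgrade": 2, "ok": 3}
    rows = []
    for a in assets:
        status, eff = classify(a.algorithm, a.bits)
        if (status is Quantum.BROKEN and a.purpose == "confidentiality"
                and mosca_at_risk(a.secrecy_years, migration_years, crqc_years)):
            action = "urgent"     # harvest-now-decrypt-later exposure today
        elif status is Quantum.BROKEN:
            action = "migrate"    # must be replaced before a CRQC exists
        elif status is Quantum.WEAKENED:
            action = "upgrade"    # e.g. AES-128 -> AES-256
        else:
            action = "ok"
        rows.append({"name": a.name, "algorithm": f"{a.algorithm}-{a.bits}",
                     "status": status.value, "effective_bits": eff, "action": action})
    return sorted(rows, key=lambda r: order[r["action"]])


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Asset("customer-db-tls", "ECDH", 256, "confidentiality", secrecy_years=15),
    Asset("firmware-signing", "RSA", 3072, "authentication"),
    Asset("backup-encryption", "AES", 128, "confidentiality", secrecy_years=10),
    Asset("vpn-key-exchange", "ML-KEM", 192, "confidentiality", secrecy_years=15),
    Asset("log-integrity", "SHA256", 256, "authentication"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['action']:8} {row['name']:20} {row['algorithm']:12} "
              f"{row['status']:9} eff={row['effective_bits']}")
```

The ranking is deliberately coarse: an ECDH-protected database whose records must stay secret for fifteen years lands at the top because an adversary recording that traffic today would be able to read it well within its secrecy lifetime, while a 3072-bit RSA signing key is merely “migrate”, since past signatures cannot be forged retroactively once the key is replaced. A real inventory tool would populate the asset list from certificate stores, TLS configurations and HSM audits rather than from literals.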

ENISA’s Enhanced Supervisory Role on NIS2 compliance

ENISA would gain a new role in supporting cross-border supervision of NIS2 compliance for entities that provide services in multiple Member States. Based on a comprehensive cross-border cybersecurity risk assessment, ENISA could recommend the establishment of joint examination teams and develop guidelines for joint supervisory actions with member state regulators. At the request of competent authorities, ENISA could also participate in supervisory activities and assist in assessing an entity’s implementation of cybersecurity risk-management measures.

Key Implications for Organisations

While these proposals are still at an early stage of the legislative process, several practical implications are already clear. Organisations currently subject to the NIS2 Directive should expect a more streamlined compliance landscape, with cyber posture certification offering a single route to demonstrating compliance across multiple frameworks. At the same time, the expanded scope means that new categories of entities — particularly digital wallet providers, submarine cable operators, and dual-use infrastructure operators — should begin to assess their readiness.

The supply chain security framework under the CSA2 may require organisations to review their dependencies on ICT suppliers from countries that could be designated as posing cybersecurity concerns. Although the details of this framework will be developed through secondary measures, the direction of travel is clear: de-risking ICT supply chains is a strategic priority for the EU.

Finally, the post-quantum cryptography requirements signal that organisations should start planning their migration away from today's public-key algorithms. The 2030 target for high-risk use cases set in the EU's coordinated PQC implementation roadmap is approaching, and early preparation will be essential.